revert temporary docker and trivy changes (#8833)

2026-03-29 13:01:51 -07:00
parent a95b8396e4
commit 00fcd5b828
3 changed files with 3 additions and 51 deletions
--- a/.github/workflows/container_latest.yml
+++ b/.github/workflows/container_latest.yml
@@ -26,7 +26,6 @@ on:

 permissions:
  contents: read
-  security-events: write

 jobs:
  setup:
@@ -150,48 +149,9 @@ jobs:
          # Remove Go build cache
          sudo rm -rf /tmp/go-build*

-  trivy-scan:
-    runs-on: ubuntu-latest
-    needs: [setup, build]
-    strategy:
-      matrix:
-        variant: ${{ fromJSON(needs.setup.outputs.variants) }}
-    steps:
-      - name: Configure variant
-        id: config
-        run: |
-          if [ "${{ matrix.variant }}" == "large_disk" ]; then
-            echo "tag_suffix=_large_disk" >> $GITHUB_OUTPUT
-          else
-            echo "tag_suffix=" >> $GITHUB_OUTPUT
-          fi
-      - name: Login to GHCR
-        uses: docker/login-action@v4
-        with:
-          registry: ghcr.io
-          username: ${{ secrets.GHCR_USERNAME }}
-          password: ${{ secrets.GHCR_TOKEN }}
-      - name: Run Trivy vulnerability scanner
-        # Pin to SHA — mutable tags were compromised (GHSA-69fq-xp46-6x23)
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
-        with:
-          # Scan amd64 only — OS packages are identical across architectures
-          # since they all use the same alpine base, so a single-arch scan
-          # provides sufficient coverage without multiplying CI time.
-          image-ref: ghcr.io/chrislusf/seaweedfs:${{ github.event_name == 'workflow_dispatch' && github.event.inputs.image_tag || 'latest' }}${{ steps.config.outputs.tag_suffix }}-amd64
-          format: sarif
-          output: trivy-results.sarif
-          severity: HIGH,CRITICAL
-          exit-code: '1'
-      - name: Upload Trivy scan results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: trivy-results.sarif
-
  create-manifest:
    runs-on: ubuntu-latest
-    needs: [setup, build, trivy-scan]
+    needs: [setup, build]
    if: github.event_name != 'pull_request'
    strategy:
      matrix: